Dark Reading: New Tool Shields Organizations From NXDOMAIN Attacks

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

Akamai has released a new tool to help, as my story for Dark Reading describes.

The cybsersec gender gap is still wide

A new study by Women in Cybersecurity paints yet another dismal picture of the gender gap. This time it dives into its potential causes. The study is based on surveying both men and women across 20 different organizations. Women encounter problems at twice the rate of men, especially when it comes to their direct managers and peer workers. The glass ceiling is still very much in evidence. It is a sad description of where and who we are, including disrespectful and sexually inappropriate behaviors, underappreciated skills and experience, and requests to do menial tasks (she’ll take the meeting notes).

“Organizations have a clear opportunity to significantly boost their financial results and employee satisfaction by addressing these disparities,” said one of the report’s authors. The revenue impact could be significant due to this differential treatment of women and people of color. You would think that would be obvious by now.

I am ashamed about our industry that continues to make this news, year after year. Back in 2013, I attended one of the Strangeloop conferences, which always were notable in how many women presenters they had. I wrote a follow-up piece in Biznology a few years ago, tracking down some of the women that I initially wrote about. I ended that piece with the suggestion that we should follow some people on Twitter who don’t look like you and widen your focus and perspective.

Well, Twitter turned out well, didn’t it? Perhaps follow folks on LinkedIn now. You might want to take a listen to the “bit of fun” Mark Cuban is having at Elon’s expense on diversity, when he was interviewed by Lex Fridman (here is a 35 min. excerpt). He makes some great points on why it works.

Speaking of conferences, it wasn’t all that long ago when attending RSA, you wouldn’t find many women speakers. Last year’s event even had an all-women panel of female all-stars talking about threat response. I guess that is progress.

And in 2016 I wrote about how female engineers were scarce. Back then, I said: “It is time that all companies adapt to a more diverse workforce if they want to succeed. And we need to be on the leading edge in tech.” It is still time.

Dark Reading: Electric vehicle charging stations still have major cybersecurity flaws

The increasing popularity of electric vehicles isn’t just a favorite for gas-conscious consumers, but also for cyber criminals that focus on using their charging stations to launch far-reaching attacks. This is because every charging point, whether they are inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

In this post for Dark Reading, I review some of the issues surrounding deployment of charging stations, what countries are doing to regulate them, and why they deserve more attention than other connected IoT devices such as smart TVs and smart speakers.

CSOonline: A dozen of the top data security posture management tools

Tracking down sensitive data across your cloud estate can be vexing. By their very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, a group of tools called data security posture management (DSPM) have been developed to discover both known  and unknown data, provide some structure and manage the security and privacy risks of its potential exposure. In my post for CSOonline today, I look at a dozen different tools from Concentric AI, Cyera, Eureka Security, Normalyze, OneTrust, Palo Alto Networks, IBM, Securiti, Sentra, Symmetry Systems, Varonis and Wiz. (A summary comparison table can be found here.)

These tools will require a significant amount of staffing resources to evaluate because they touch so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter under what digital rock they could be hiding. So having a plan that prioritizes which data is most important will help focus your evaluation. Also a good thing is to document how each DSPM creates its data map and how to interpret it and subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap too.

Gmail at 20, RIP Dan Lynch

Writing a computer-themed column appearing today can be a tough assignment. But I want to assure you that first, it isn’t any net-fueled prank and second, that it is actually written from start to end by me and not by some algorithm. More on that in a moment.

Today marks the 20th anniversary of Gmail’s creation. Google was playing with fire when it first announced the service in this press release, and the initial reaction was disbelief because of the date. Back then, it was an amazing feat to offer a gigabyte of storage — since expanded to 15 GB for the free tier. This was when many email services had capacity limits of 4MB or so, which seem laughable by today’s standards.

and the ability to search your entire email corpus. Now there are more than 1.5B users around, including myself. (I actually host my domain with Google, which was free until recently.) Here is a screen grab of what it looked like back then.

But there is another and sadder moment that I want to mention.

Over the weekend we lost one of the Great Ones, Dan Lynch, who was the founder of the Interop trade show. He was one of the prime movers behind the commercialization of the internet, back when we all used the capital “I” as befitting its status in society.

I was involved in the show in numerous ways: as a tech journalist (and editor-in-chief of what would become the leading computer networking business publication), as an editorial consultant to help guide the conference program, and as a speaker and lecturer. At its height, Dan put on five shows yearly around the world, and I spoke at many of them. Here is an interesting historical plot of when and where the shows took place.

You can read more about Dan’s accomplishments with this NYT obit written by Katie Hafner. He was 82, from kidney failure.

One of the features of Interop was its ability to force vendors into improving their products in real time, during the several days that the show was running, with what eventually was called the Shownet. In the early days, TCP/IP was still very much an experimental set of protocols and had yet to become the global lingua franca that it is today. The Shownet was born out of the necessity to get better interoperability, hence the show’s name. It began with 300 vendors and eventually blossomed to attract tens of thousands of attendees. This year the show is back from being virtual and being held in Tokyo this summer.

“The Shownet was also often the first place where many router or switch devices ever met a complex topology,” wrote Karl Auerbach, one of the many volunteer engineers who worked on it over the years, “Few saw the almost continuous efforts, done under Dan’s watch, between shows to design, pre-build (in ever larger warehouses), ship, deploy, operate, and then remove. The Shownet trained hundreds of electricians in the arts of network wiring over the years.”

I wanted to talk to Dan as part of an article that I am writing for the Internet Protocol Journal about the history and tenacity of the Shownet, but sadly we weren’t able to connect before his passing. He was truly a force of nature, a force that brought a lot of goodness to the world, and changed it for the better. Many of us owe our career developments, knowledge about computing, and human connections to Dan’s efforts.

So one final note. I came across this coda that explains “human-generated content” on a website by displaying one of three icons. I want to assure you that my website, newsletter, and any work that I produce is 100% written by me, that the people I quote are also actual carbon-based life forms, and no GPUs have been harmed or otherwise employed to produce this work product.

Dark Reading: Corporations With Cyber Governance Create Almost 4X More Value

Public corporations have mostly ignored SEC regs published years ago for improving cybersecurity governance. And while the requirements can be difficult to satisfy, companies that have made the effort created nearly four times their shareholder value compared to those that haven’t. That’s the conclusion of a new survey jointly conducted by Bitsight and Diligent Institute, entitled “Cybersecurity, Audit, and the Board.”  According to the Bitsight report, having separate board committees focused on specialized risk and audit compliance produces the best outcomes. 

You can read my analysis of this report for Dark Reading here.

Dark Reading: Cloud Email Filtering Bypass Attack Works 80% of the Time

A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.

Computer scientists have uncovered a shockingly prevalent misconfiguration in popular enterprise cloud-based email spam filtering services, along with an exploit for taking advantage of it. The findings reveal that organizations are far more open to email-borne cyber threats than they know, and will be presented at a conference in May. My post for Dark Reading explains the situation.

Red Cross Volunteer Gives Back as Service to Armed Forces Resiliency Volunteer

There aren’t too many people who have become modern models for dolls produced by the American Girl company, let alone women who have had a long volunteer career with the American Red Cross. But Dorinda Nicholson – the real-life archetype behind the Nanea Mitchell doll – is very much a true story of grit, determination, and turning her survivor’s story into one of exceptional service wherever she goes. I recently wrote a profile of her for our local chapter blog.

What becomes a great leader most?

I keep returning to this meme because it just sounds right. I was reading one of Mark Cuban’s Tweets (or whatever they are now called) last week where he was riffing on qualities he looked for in a great leader. Now, he was talking politics, and I want to remove that context for the moment, because what he is saying has larger implications.

Leadership is something that I am somewhat familiar with: I have run numerous publications over the years, usually as editor-in-chief where I had to hire the staff. Back in 2012, I was selected to a special leadership training program with a cohort of 60 others, drawn from various organizations here in St. Louis. My wife was selected for an earlier cohort and encouraged me to apply, and it was a fantastic experience. I got to meet business, government, and non-profit leaders as they spoke to our class. We tackled some pretty thorny issues and had some amazingly frank discussions, and formed many  enduring friendships.

Cuban’s list gets to the core of what becomes a great leader most. His thesis is that a great leader is someone who he would hire, and understand and appreciate their values. He breaks this down into several categories, with the overriding aspect whether they are lifelong learners, especially in a world that is constantly changing. Being one of these learners, I never really thought that was necessary condition, but as I think about the best leaders that I have known and worked for over the years, I would agree with him on this and the other items on his list:

  • Will the subordinates who worked most closely to this leader come back to work for them in subsequent jobs?

I am proud to say that I have hired several people multiple times over our careers. This is an easy one to spot: the same crew follows a great leader from posting to posting. I wrote about the original crew that I worked with at PC Week back in the mid-1980s when Sam Whitmore, one of the editors, said it was like being in the Beatles. I once wrote about this group of five guys who have started numerous companies over a 20 year span as an extreme example of this.

  • Does this leader take credit or give credit to others?

I have had some really lousy bosses who were credit stealers. And some great bosses who wouldn’t hesitate to give credit where it was due. Another easy one to spot.

  • How a leader treats people who can do nothing for them.

One of the aspects of leadership that I have enjoyed most is developing someone’s skills and having them leave my operation and go on to do great things. I can think of several people that I hired that have blossomed and had amazing careers, and I like to think that I had something to do with that. But that is more a condition of being a great mentor, rather than buying your way into what Tom Wolfe once called “the favor bank.” Wolfe used the concept as a way to build relationships of trust, but it can also go awry if abused.

  • How does a leader handle the criticism that comes with the job?

If you have a thin skin, you aren’t going to last long in any leadership position. You have to roll with the punches.

  • Does a leader hire their staff for loyalty or ability?

This is harder to spot, because sometimes you don’t realize the loyalty connection until it is too late. With one job, I got fired because one of my subordinates was more loyal to my boss than to me. With another job, I eventually quit because this loyalty connection was undermining my ability to lead my team.

  • Does a leader create stress or reduce stress for the people around them?

Another easy one to spot. I wrote about this situation a couple of years ago when I suggested it was time to fire your jerk boss. At one publication where I wasn’t in charge, our leader was really great at creating chaos and pitting one staffer against another, just to see who would triumph. There was always a fire drill, and the fires were always five alarm ones too. It was like everyone had PTSD, it was so stressful. Conversely, a great leader will do the necessary blocking and running interference from their bosses, so the staff is insulated and get the actual work done. This goes hand-in-hand with how a leader handles criticism.

Thanks Mark for such words of wisdom.

Dark Reading: NIST’s Vuln Database Downshifts, Prompting Questions About Its Future

Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination. That is when any details in the NVD have been omitted, details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers. My story in Dark Reading tells this sad tale.